geronimo-user mailing list archives

From Alan Cabrera <Alan.Cabr...@reuters.com>
Subject RE: securiy role mapping in openejb-jar.xml ?
Date Thu, 02 Sep 2004 18:39:37 GMT


> -----Original Message-----
> From: Prem kalyan [mailto:prem.kalyan@gmail.com]
> 
> thanx Alan,
> 
>            I have a small question. Just out of curiosity, i may be wrong
> 
> On Thu, 02 Sep 2004 10:54:57 -0400, Alan Cabrera
> <alan.cabrera@reuters.com> wrote:
> >
> >
> > > -----Original Message-----
> > > From: Prem kalyan [mailto:prem.kalyan@gmail.com]
> > >
> > > On Thu, 02 Sep 2004 10:22:03 -0400, Alan Cabrera
> > > <alan.cabrera@reuters.com> wrote:
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Prem kalyan [mailto:prem.kalyan@gmail.com]
> > > > > Sent: Thursday, September 02, 2004 10:04 AM
> > > > > To: user@geronimo.apache.org; dev@geronimo.apache.org
> > > > > Subject: securiy role mapping in openejb-jar.xml ?
> > > > >
> > > > > hi all,
> > > > >
> > > > >          I have a few questions on security role mappings. Before
> > > > > that i want to put my understanding about security mappings. If there
> > > > > is anything wrong in my understanding please let me know.
> > > > >
> > > > >         I think,
> > > > >
> > > > > 1 . In ejb-jar.xml we declare security roles in <security-role>
> > > > > tags.
> > > > >
> > > > > 2 . In ejb-jar we specify which methods are accessed by which
> > > > > roles using <role-name> in <method-permission>.
> > > > >
> > > > > 3 . In openejb-jar.xml we associate principals to security roles,
> > > > > by this we are allowing all the principals in a role to access
> > > > > those methods which the role can access.
> > > >
> > > > So far so good.
> > > >
> > > >
> > > > > Qn :-
> > > > >
> > > > >         Why are role mappings part of each EJB? Since we already
> > > > > defined what permissions each role has on each ejb (using
> > > > > <method-permissions>) why do it here again?
> > > > >
> > > > >         Isn't it sufficient to map principals to roles in
> > > > > openejb.jar?
> > > > >
> > > >
> > > > This level of indirection allows you to take your beans and use
> > > > them in an application server of another vendor, e.g. WebLogic.  The
> > > > mapping of principals to roles is an OpenEJB specific mechanism,
> > > > hence it is in the openejb-jar.xml file.
> > > >
> > > Alan still my question is not answered or i haven't got ur point
> > >
> > >     I got why role mapping has to be inside openejb-jar.xml.
> > >
> > >     but why does it have to be inside every EJB in openejb-jar.xml?
> > >
> > >     if i have 10 beans do i have to declare my role mapping in each
> > > and every bean?
> > >
> > >     Aren't role mappings independent of ejb security? I mean we define
> > > the ejb security in method-permissions using role names. And role
> > > mappings is just to bind principals with role names.
> >
> > You only declare the principal to role mappings once, regardless of
> > the number of beans in your jar.
> 
>                  Then why are role-mapping entries part of the ejb? Won't it be
> nice to have it outside EJB's, as an independent entry. If it has
> any other advantage plz let me know
> 
> 
> thanx in advance,

Roles are specific to those beans that are in the same EJB jar file.
More specifically, their scope is limited to that jar.  Let me give an
example that illustrates why EJB jar files have this rule.

A role named BLACK in one EJB jar could represent low security workers
while the role BLACK in a different EJB jar could represent high
security managers.  The reason for this conflict in meaning for the role
of the same name is that the origin of those two jar files can be from
two different vendors.  


Regards,
Alan
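The point of the thread (three descriptor steps, and why the principal-to-role mapping is scoped to one jar) can be made concrete with a small model of the container's authorization decision. The code below is an added illustration, not code from Geronimo or OpenEJB; the jar names, bean names, methods and principals are constructed, and the descriptors are reduced to plain dictionaries. It shows the two BLACK roles from Alan's example coexisting safely when each jar carries its own mapping, and the privilege escalation that a single server-wide mapping table would produce.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class EjbJar:
    """One deployed EJB jar, with its two descriptors reduced to dicts (constructed model)."""
    name: str
    # ejb-jar.xml <security-role>: the portable role names this jar declares (step 1)
    roles: set[str]
    # ejb-jar.xml <method-permission>: (bean, method) -> roles allowed to call it (step 2)
    method_permissions: dict[tuple[str, str], set[str]]
    # openejb-jar.xml mapping: role -> principals that hold it, container-specific (step 3)
    role_mappings: dict[str, set[str]] = field(default_factory=dict)

    def validate(self) -> list[str]:
        """Descriptor problems a deployer should refuse: roles used but never declared."""
        problems = []
        for (bean, method), required in self.method_permissions.items():
            for role in sorted(required - self.roles):
                problems.append(f"{self.name}: {bean}.{method} grants undeclared role {role}")
        for role in sorted(set(self.role_mappings) - self.roles):
            problems.append(f"{self.name}: mapping for undeclared role {role}")
        return problems

    def roles_of(self, principal: str) -> set[str]:
        """Roles the principal holds in this jar only."""
        return {role for role, holders in self.role_mappings.items() if principal in holders}

    def is_allowed(self, principal: str, bean: str, method: str) -> bool:
        """Container-style check: one of the caller's roles must appear in the method's permission."""
        required = self.method_permissions.get((bean, method))
        if required is None:
            return False  # no <method-permission> declared for this method: deny
        return bool(self.roles_of(principal) & required)


# Constructed sample deployment: two jars from different vendors both use the
# role name BLACK with opposite meanings, as in Alan's example.
PAYROLL = EjbJar(
    name="payroll.jar",
    roles={"BLACK"},
    method_permissions={("PayrollBean", "submitTimesheet"): {"BLACK"}},
    role_mappings={"BLACK": {"clerk1", "clerk2"}},  # BLACK = low-security workers
)
ADMIN = EjbJar(
    name="admin.jar",
    roles={"BLACK"},
    method_permissions={("AdminBean", "shutdown"): {"BLACK"}},
    role_mappings={"BLACK": {"manager1"}},  # BLACK = high-security managers
)


def flat_mapping_allows(jars: list[EjbJar], principal: str, bean: str, method: str) -> bool:
    """Decision under a single server-wide principal->role table (the design the jar rule avoids).

    Roles earned in any jar satisfy permissions in every jar, so the two BLACKs collide.
    """
    merged_roles: set[str] = set()
    for jar in jars:
        merged_roles |= jar.roles_of(principal)
    for jar in jars:
        required = jar.method_permissions.get((bean, method))
        if required is not None:
            return bool(merged_roles & required)
    return False


def demo() -> dict[str, bool]:
    """Decisions that make the scoping argument concrete."""
    return {
        "clerk submits timesheet (payroll.jar)": PAYROLL.is_allowed("clerk1", "PayrollBean", "submitTimesheet"),
        "clerk shuts down server (admin.jar)": ADMIN.is_allowed("clerk1", "AdminBean", "shutdown"),
        "manager shuts down server (admin.jar)": ADMIN.is_allowed("manager1", "AdminBean", "shutdown"),
        "clerk shuts down server with one flat mapping": flat_mapping_allows(
            [PAYROLL, ADMIN], "clerk1", "AdminBean", "shutdown"
        ),
    }


if __name__ == "__main__":
    for jar in (PAYROLL, ADMIN):
        assert not jar.validate(), jar.validate()
    for label, decision in demo().items():
        print(f"{'ALLOW' if decision else 'DENY ':5} {label}")
```

With per-jar mappings, clerk1 is BLACK only inside payroll.jar, so the admin.jar shutdown is denied; merge the mappings into one flat table and the same clerk satisfies admin.jar's BLACK permission. The `validate` step is the check a deployer should run on every jar: a `<method-permission>` or mapping that names a role the jar never declared is a descriptor error, not something to resolve by guessing.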




